By: Germaine Tan, VP of Cyber Risk Management, Darktrace
We’re all familiar with QR codes. Go to a café, and chances are they’ll have a QR code on their menu to make ordering seamless. Many products now feature a QR code on their packaging to make finding information about what you’re buying easier. In fact, Juniper Research has predicted that the number of QR Code users will exceed 2.2 billion in 2025, increasing from 1.5 billion in 2020.
But there’s a dark side to QR codes. Cyber criminals are constantly innovating, and recently the phenomenon of QR phishing, or ‘quishing’, has emerged.
Cybercriminals are constantly innovating and becoming more sophisticated
Quishing is the use of scam QR codes to steal money and data and is an evolution of the email phishing scams we have all grown used to. It’s an example of how cyber criminals are becoming increasingly sophisticated in the vectors they use to obtain credentials, get access to corporate networks, and extort the individuals and companies they have compromised.
In fact, Darktrace has seen a 35% growth between September and December 2023 in novel social engineering attacks, following a 135% increase, on average, in these attacks in January and February last year. These are attacks using sophisticated linguistic techniques, including increased text volume, better punctuation, longer sentence lengths, and with no links or attachments. The pace with which these threats evolve is only going to get faster thanks to the rise of generative AI.
Quishing is one of the socially engineered attacks cyber criminals are using. The ubiquitous nature of QR codes means people are inclined to trust them, leading to scammers embedding them into phishing emails to quish.
When a user scans the code they’re often taken to a legitimate looking website where they’re asked for personal information. Scammers are aiming to use this personal information for credential harvesting, hoping to find a way into your locked accounts.
Darktrace has seen an increase in the volume of quishing emails, meaning criminals are shifting their tactics and are, as always, following the money. From May to July 2023, Darktrace observed a 59% average increase in phishing attacks featuring multistage payloads. These sophisticated email phishing scams prompt the recipient to take multiple actions before delivering malware or attempting data theft – quishing is just one example of this kind of attack.

Why traditional cybersecurity struggles with quishing
Conventional cybersecurity email gateways rely on rules to detect phishing attacks. But there are no threat intel feeds for novel threats like QR codes. Inspecting every image attached to an email on the chance it contains a QR code is time-consuming and expensive. This means quishing emails can more easily get through to users, leading to a rise in attacks.
The rise of generative AI has also made it quicker and easier for scammers to create legitimate sounding emails and embed QR codes into them, all automated by the push of a button. Darktrace’s recent State of Cyber AI survey revealed that nearly three quarters of security leaders believe AI-powered cyber threats are already having a significant impact on their organisations.
How to defend against quishing
User education is one of the most important defences businesses have against cyber threats. For users, the key thing they need to know about quishing is to be cautious of unexpected or untrusted QR codes. If in doubt, don’t scan the code, and always be cautious of QR codes found in random places or from unknown sources.
It’s also important to verify the link before scanning: If possible, use a separate app to scan the code before opening the link. Many QR scanner apps will display the destination URL before you open it, allowing you to check for suspicious or unfamiliar domains.
Users should also look for visual clues and check if the QR code looks blurry, pixelated, or tampered with. Legitimate codes are usually printed neatly and clearly. It’s important to only scan codes from trusted sources. If you’re unsure about the source of a QR code, err on the side of caution and don’t scan it.
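The advice above to check the destination URL before opening it can be partly automated. The following Python example is added here and is not Darktrace's tooling or code from this article; it assumes a scanner app or decoder has already turned the QR image into a string, and it only inspects that string (the illustrative shortener list, the trusted domain acme-corp.example and the sample payloads are all constructed for the example, using reserved .example and .test names and documentation IP ranges). It flags the signs a user would otherwise have to spot by eye: plain HTTP, a raw IP address as host, a brand name used as a look-alike, user-info before an `@` that hides the real host, public URL shorteners, and non-web payloads such as tel: links.

```python
"""Triage a decoded QR code payload before following it (added example, stdlib only)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Illustrative list of public URL shorteners; an assumption, not from the article.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def _in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _is_ip_literal(host: str) -> bool:
    """True if the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_qr_payload(payload: str, trusted_domains: set[str]) -> list[str]:
    """Return human-readable warnings for a decoded QR payload.

    An empty list means nothing in the string itself looked suspicious; it does
    not prove the destination is safe.
    """
    warnings: list[str] = []
    text = payload.strip()
    parts = urlsplit(text)  # urlsplit lower-cases the scheme for us
    scheme = parts.scheme

    if scheme not in ("http", "https"):
        # QR codes can also carry tel:, sms:, mailto: or Wi-Fi join actions;
        # anything that is not a web link deserves a second look.
        warnings.append(f"non-web payload ({scheme or 'no scheme'}): {text[:40]!r}")
        return warnings

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
        return warnings

    if scheme == "http":
        warnings.append("plain HTTP link: no TLS, destination can be tampered with")
    if parts.username is not None or parts.password is not None:
        warnings.append("user-info before '@': the name shown first is not the real host")
    if _is_ip_literal(host):
        warnings.append(f"host is a raw IP address: {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) host label: check for look-alike characters")
    if host in URL_SHORTENERS:
        warnings.append(f"URL shortener {host} hides the final destination")

    for trusted in trusted_domains:
        trusted = trusted.lower()
        if _in_domain(host, trusted):
            continue  # genuinely under the trusted domain
        brand = trusted.split(".")[0]
        if brand in host:
            warnings.append(
                f"host {host!r} contains the brand '{brand}' but is not under {trusted}"
            )
    return warnings


# Constructed sample payloads, as a scanner app's URL preview would show them.
SAMPLE_PAYLOADS = [
    "https://portal.acme-corp.example/login",             # genuine, under trusted domain
    "http://192.0.2.10/verify",                           # plain HTTP to a raw IP
    "https://acme-corp.example.login-verify.test/secure", # look-alike host
    "https://acme-corp.example@203.0.113.7/mfa",          # user-info trick
    "https://bit.ly/3abcXYZ",                             # shortener
    "tel:+15555550100",                                   # not a web link at all
]


def triage_samples() -> dict[str, list[str]]:
    """Run every constructed sample against the trusted domain acme-corp.example."""
    return {p: assess_qr_payload(p, {"acme-corp.example"}) for p in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, found in triage_samples().items():
        verdict = "OK (no string-level warnings)" if not found else "; ".join(found)
        print(f"{payload}\n    {verdict}")
```

The checks deliberately stop at the string: they do not fetch the URL, so a clean result only means the link is not obviously disguised, which is why the article's "only scan codes from trusted sources" advice still applies.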
But looking for errors in the presentation isn’t the only answer. The increased sophistication of these scams requires an increase in technology solutions to help protect businesses and support users. AI-powered email security enables the identification of quishing by understanding which emails are normal, and therefore likely legitimate, and finding subtle deviations from the norm to highlight malicious emails, even when they’ve never been seen before.
Within security teams, quishing is a further example of attackers’ continuously shifting tactics and increasing sophistication. Teams can stay ahead by taking a proactive stance. That begins by minimising time spent on alerts and triage and building a true view of their digital footprint. AI tools can help with both of those by building that view and automating investigation and reporting. At Darktrace, we’ve seen from multiple organisations that the time saved by these steps allows security teams to begin proactively building their resilience, from creating user education programmes to practising quishing-led attack scenarios (again, AI can make these realistic and valuable), to proactively identifying the highest-vulnerability targets and hardening them against attacks. Proactive security provides the best defence against any attack – quishing and beyond.